Cybersecurity Challenges to American State and Local Governments

In this paper, we examine cybersecurity challenges to American state and local governments. In particular, we address the extent and magnitude of cyberattacks against these governments, the problems these governments face in preventing attacks from being successful, the barriers to effective cybersecurity that they confront, and actions that they believe should be taken to improve cybersecurity practice. Our research method consisted of a focus group of information technology (IT) and cybersecurity (CS) officials from one American state.

We found that cyberattacks, mostly in the form of malicious emails, are constant, 24/7/365, and can number in the tens of thousands or more per day. Participants in the focus group noted that while they were not perfect at it, they felt that for the most part they had the technical side of cybersecurity under good control. These governments’ biggest cyber challenge is human error; that is, end users who (mostly by mistake and without malice) open an attachment or click on a link in a phishing email that then allows an attacker into the government’s IT system. These governments face several barriers when attempting to prevent cyberattacks and when endeavoring to mitigate successful ones, including: insufficient funding and staffing; problems of governance; and insufficient or under-enforced cybersecurity policies. There are several common sense ways that these, including: frequent vulnerability assessment, continual scanning and testing, securing cybersecurity insurance, improving end user authentication and authorization, better end user training and control, better control over the use of external devices (flash drives, etc.), and improved governance methods, among others. We conclude by making suggestions for further research into state and local government cybersecurity.